How to avoid BREACH attacks in rails?

I've been reading about the BREACH attack and, despite it being an attack that involves the web application at the server level too, I was wondering if there's something to block this kind of attack in Rails.
I've found breach-mitigation-rails, which they say is not a bullet-proof solution, just something to mitigate an attack in some ways. Is there something else around?

Alter Lagos asked Aug 07 '13 17:08

1 Answer

The presenters of BREACH have put up a website with further details. The listed mitigations, ordered by effectiveness, are:

  1. Disabling HTTP compression
  2. Separating secrets from user input
  3. Randomizing secrets per request
  4. Masking secrets
  5. Protecting vulnerable pages with CSRF
  6. Length hiding
  7. Rate-limiting requests

HTTP compression can fairly easily be disabled at the server, at the expense of efficiency.

The breach-mitigation-rails gem addresses points #4 and #6. It is likely to break caching and increase page size.

Another interesting fix works on point #4, with none of the negative impacts on efficiency, but it does require JavaScript (which can help cut down on spam submissions, anyway).

An official fix is also being discussed.

You may also find this non-Rails-specific question interesting - https://security.stackexchange.com/questions/39925/breach-a-new-attack-against-http-what-can-be-done.

Brad Werth answered Nov 09 '22 03:11
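To make points #4 (masking secrets) and #6 (length hiding) from the answer concrete, here is an added example, not code from the question, the answer, or the breach-mitigation-rails gem. It masks a constant per-session secret with a fresh one-time pad on every response (the same XOR construction later Rails versions use for their masked authenticity token) and appends a random-length comment, so the bytes and length of the response no longer change predictably when attacker-controlled input next to the secret happens to match it. The `BreachMask` module name and the CSRF-token-shaped sample secret are assumptions made for this example.

```ruby
require 'securerandom'
require 'base64'

# Added example, not part of the original question or answer.
# The secret (e.g. a per-session CSRF token) stays constant, but its
# encoding in the page differs on every request, which removes the
# compression-size signal BREACH relies on.
module BreachMask
  module_function

  # XOR two equal-length byte strings.
  def xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Mitigation #4: emit base64(pad || secret XOR pad) with a fresh pad.
  # Two calls with the same secret produce different strings.
  def mask(secret)
    pad = SecureRandom.random_bytes(secret.bytesize)
    Base64.strict_encode64(pad + xor_bytes(secret, pad))
  end

  # Reverse of mask/1; the server does this before comparing tokens.
  def unmask(masked)
    raw = Base64.strict_decode64(masked)
    half = raw.bytesize / 2
    pad = raw[0, half]
    masked_secret = raw[half, half]
    xor_bytes(masked_secret, pad)
  end

  # Mitigation #6: append an unguessable, random-length HTML comment so
  # the response length varies independently of any injected guess.
  def length_hide(body, max_pad: 64)
    body + "<!-- #{SecureRandom.hex(rand(0..max_pad))} -->"
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 's3cr3t-csrf-token-0123456789' # constructed sample secret
  m1 = BreachMask.mask(secret)
  m2 = BreachMask.mask(secret)
  puts "masked #1: #{m1}"
  puts "masked #2: #{m2}"
  puts "both unmask to the secret: #{[m1, m2].all? { |m| BreachMask.unmask(m) == secret }}"
  puts BreachMask.length_hide('<html></html>')
end
```

Masking alone does not stop BREACH against other reflected secrets on the page; it only protects the values you run through it, which is why the answer lists disabling compression first.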